MEMORANDUM FOR: Legislative Counsel

ATTENTION : ....... 

SUBJECT : Comments on S. 3418 -- Federal Privacy Board


1. Because of the length of this bill, as well as the
possibility that the Agency would be exempt from its provisions,
we are setting forth in this memorandum a few comments on
potential problem areas and are attaching as an annex a
summary of its detailed provisions.

2. The bill would establish a Federal Privacy Board,
with five members appointed by the President and confirmed
by the Senate. The Board would publish annually a Data Base
Directory of the United States, containing data on all personal
information systems. Several powers for implementing the
provisions of the bill are given to the Board, and it would
report annually to the Congress and the President.

3. Detailed requirements and procedures for Federal
agencies, state and local governments, and all non-governmental
organizations are set forth, and there are several special
requirements for Federal agencies only. All covered organizations
must give annual notice to the Board and the information
required is very detailed. Organizations must notify persons
on whom they have information of this fact and obtain their
consent for certain transactions, and the individuals can
correct or update this information.

4. The Act would not apply to personal information systems
maintained by a Federal agency whose head determines that
release of such information would seriously damage the national
defense. Also exempted are criminal investigatory files of
law enforcement agencies (with some caveats), and the files
of the press and news media (except for files on their employees).

5. There is a special clause forbidding any organization
to require an individual to disclose his social security
number in connection with commercial and other transactions.

6. There are the usual sections on criminal penalties and
civil remedies, as well as definitions of key terms.

7. If the Director can in fact exempt the Agency's
personal information files and records from the provisions
of this Act, then it presents no difficult problem, as there
do not appear to be any records the disclosure of which would
not damage the national defense.

8. On the other hand, if for any reason the Agency should
be determined to be subject to this Act [illegible] requirements
for notification and reporting to the Federal Privacy
Board, the general public, and to the individuals on whom the
Agency maintains personal information, it would be in deep
trouble. For example, there is the requirement to afford any
foreign national, whether or not residing in the United States,
the same rights under this Act as American citizens would have.
There is the maintenance (internally) of lists of all persons
(Agency employees) having regular access to the personal
information in the system. Annually, the Agency would have to
prepare the very detailed notice for the Board, including
information on the procedures whereby an individual may be
informed of information on him and how he can contest its
accuracy. Very little could be done with Agency-held personal
information without the consent of the subject individual and
he would be entitled to know the source of such data. In
other words, all these detailed provisions would hamstring
the Agency in operating its information systems and would
endanger the security of its operation.




Chief, Information Systems Analysis Staff 
Comments on S. 3418 -- Federal Privacy Board


1. This bill would establish in the executive branch
a Federal Privacy Board, consisting of five members appointed
by the President and confirmed by the Senate. These members
would be from the public at large, exclusive of officials or
employees of the U. S. Government. They would be paid as
GS-18's and would be forbidden from engaging in any other
employment during their three-year terms.

2. The Board would publish an annual Data Base Directory
of the U. S. containing data on each personal information
system. The Board would also consult with heads of departments/agencies
in implementing the provisions of the Act, make rules
to assure compliance with the Act, and conduct research
activities as may be necessary to implement the Act and assist
organizations in complying with its requirements.

3. The Board would be authorized as follows: 

a. to be granted admission at reasonable
hours to premises where any information system,
computers, or equipment or recordings for automatic
data processing are kept, and may compel
the production of documents relating to such
information system or processing;

b. to order an organization found to be
violating the Act to cease and desist from such
violation;

c. to delegate its authority with respect
to information systems within a State (or D. C.)
when satisfied that the State is enforcing the
Act satisfactorily;

d. to hear petitions for exceptions or
exemptions to the Act (only authorized response
is recommendation of action to Congress); and

e. to the fullest extent possible consult
with heads of departments/agencies of Government
in implementing the functions of the Board.

4. The Board would report annually on its activities to 
the Congress and to the President. 

5. Any Federal agency, State or local government, or 
any organization maintaining an information system including 
personal information would be responsible for the following:

a. collect, maintain, use, and disseminate
only personal information necessary to accomplish
a proper purpose of the organization;

b. get the information from the subject
directly when possible;

c. have categories of information for use
in confidentiality requirements and access controls;

d. maintain information with accuracy,
completeness, timeliness and pertinence to
assure fairness to subject;

e. make no dissemination to another system
without specifying security and use limits, and
determining that it is likely these will be
observed;



f. transfer no personal information outside
the United States unless a treaty or executive
agreement guarantees compliance with this Act;

g. afford any foreign national, whether
residing in the United States or not, the same
rights under this Act as U. S. citizens would
have;

h. maintain a list of all persons having regular
access to personal information in the information
system;

i. maintain complete records of access to
personal information by anyone not having regular
access authority;

j. establish rules of conduct and inform
each person involved in any aspect of running the
system of the requirements of this Act;

k. establish safeguards to reasonably assure
the system's security;

l. on receipt of written complaint, take
steps to remove complainant's name from any mailing
list of the organization; and




Approved For Release 2003/04/29 : CIA-RDP84-00780R0061 001 10028-5 






m. collect no personal information concerning
religious or political beliefs,
affiliations, and activities unless authorized
by law.

6. Any such organization maintaining an information 
system that disseminates statistical reports or research 
findings based on personal information drawn from the system 
would have to make available to any data subject or group 
the methodology necessary to validate statistical analyses, 
and make no such materials available for independent analysis 
without guarantees that no personal information would be 
used in such a way as might prejudice judgments about any 
data subject. 

7. No Federal agency should: 

a. require any individual to disclose
for statistical purposes any personal information
unless such disclosure is required by
law and the individual is informed of such
requirement;

b. request any individual to voluntarily
disclose personal information unless such
request is specifically authorized by law
and the individual is advised that such
disclosure is voluntary;

c. make available to any unauthorized
Federal employee any study or reports derived
from any file containing personal information
except those prepared, published and made
available for general public use; or

d. publish statistics of taxpayer income
classified on the basis of a coding system for
the delivery of mail.

8. Any such organization (Federal, State or other) 
maintaining an information system for personal information 
would have to: 

a. give annually to the Federal Privacy 
Board notice of the existence of such a system; 

b. give public notice annually of the 
existence and character of such system (Federal 
organizations in the Federal Register, other 
organizations in local media); 

c. in case of a new system or substantial
modification of an existing system, give public
notice and notice to the Federal Privacy Board
in not less than three months; and

d. be sure that the public notice includes
the following:

(1) the name of the system;

(2) the general purpose of the
system;

(3) the categories of personal
information and approximate
number of persons on whom
information is maintained;

(4) the categories of information
maintained, confidentiality
requirements, and access controls;

(5) the organization's policies
regarding information storage,
duration of retention of information,
and purging of such information;

(6) the categories of information
sources;

(7) a description of types of use
made of the information, including
all classes of users, and organizational
relationships among them;

(8) the procedures whereby an individual
may be informed if information on
him is in the system, how he can
gain access to the information, and
how he can contest the accuracy,
completeness, timeliness, pertinence,
and necessity for retention of the
information;

(9) the procedures whereby an individual
or group can gain access to the
information system used for statistical
reporting or research in order
to subject them to independent analysis;
and

(10) the business address and
telephone number of the person
immediately responsible for
the system.

9. Any organization maintaining personal information
should:


a. inform any individual asked to supply
personal information whether it is required by
law or may be refused, and the specific consequences
of providing or not providing the
information;

b. request permission of a data subject
to disseminate all or part of the information
to another system not having regular access
authority, and indicate the use intended and
the specific consequences to the individual;

c. grant to a data subject the right to
inspect (1) all personal information about
him, (2) the sources of the information, (3)
and who receives the information;

d. make the disclosures required by the
Act to data subjects (1) during normal
business hours, (2) in person or by mail,
on proper identification, at reasonable
standard charges for document search and
duplication, and (3) permit the data subject
to be accompanied by one person of his
choosing;

e. when advised that a data subject
wishes to in any way modify the information
about him in the system, the organization
shall:

(1) investigate and record the
current status of such information;

(2) purge any incomplete, inaccurate,
nonpertinent, nontimely, unnecessary,
or unverifiable information;

(3) include in the record a statement
of the data subject as to
his position on any disputed
portion of the information;

(4) in any dissemination of the
disputed information, note
that fact and include the
subject's statement;

(5) make plain to each individual
his right to make a request
under this paragraph;

(6) on subject's request, notify
past recipients of any purging
or correction of the information;
and

(7) advise the individual of his
right to assistance from the
Federal Privacy Board in case
of unresolved disputes.

10. Each organization [illegible]
system when this Act is enacted would have to notify by mail
each data subject of that fact, including (a) the type of
information held and its expected uses, and (b) [illegible]
address of the place where he could obtain the personal
information pertaining to him in the system.

11. Data subjects of archival-type inactive [illegible]
should be notified by mail of the reactivation of such files
within six months after enactment of this act.

12. Certain specific subsections of this Act would not
apply to any organization which maintains an information
system disseminating statistical reports based on personal
information drawn from that system or those of [illegible],
purges the names, numbers or other identifying
particulars of individuals, and certifies to the Federal
Privacy Board that no inferences may be drawn about any
individual.


13. This Act would not apply to personal information
systems:

a. to the extent that such system is
maintained by a Federal agency whose head
determines that the release of the information
would seriously damage national defense.

b. which are part of active criminal
investigatory files of law enforcement agencies
(except where the files have been maintained
longer than necessary to begin criminal
prosecution); or

c. which are maintained by press and
news media (except information relating to
employees of such organizations).

14. It would be unlawful for any organization to
require an individual to disclose his social security
number in connection with any commercial activity, or to
refuse to extend credit, make a loan, or enter into any
other business/commercial relationship with an individual
who does not disclose such number unless disclosure is
required by law. (This does not apply in the administration
of the insurance programs under Title II of the
Social Security Act.)

15. Among the miscellaneous provisions of the Act
are definitions for several key terms used therein, such as
"information system," "personal information," "data subject,"
"organization," "purge," and "Federal Agency." Also, no
organization could reveal any professional, proprietary or
business secrets except as required under the Act.

16. Criminal penalties (fine up to $10,000, imprisonment
not more than five years, or both) are prescribed for an
organization or a responsible officer of same who (a) [illegible]
an information system without notifying the Federal Privacy
Board or (b) issues personal information in violation of the
Act.

17. Civil remedies include the following:

a. the Attorney General (on advice of the Board
or any aggrieved person) may bring [illegible] court action
against any alleged violator or potential violator
of the Act; and

b. any person who violates the Act is liable
to an aggrieved person for actual damages, punitive
damages (when appropriate), and reasonable attorneys'
fees. The United States consents to be sued under
this section of the Act.

18. Any individual who is denied access to information
required to be disclosed under this Act is entitled to
judicial review of the grounds for such denial. The District
Courts of the United States have jurisdiction in such cases.

19. The effective date would be one year after
enactment of this Act.